At least one of these must apply whenever you process personal data. There may be more than one. Select the one which is appropriate to the activity you are doing:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Special data

We have already set out what special data is:
Special data is:
Special categories of personal data that reveals:

  • racial or ethnic origin;
  • political opinions;
  • religious and philosophical beliefs;
  • Trade Union membership;
  • genetic data;
  • biometric data for uniquely identifying a natural person; and
  • sex life and sexual orientation.

Where you process special data then:
In order to lawfully process special category data, you must identify both a lawful basis and a separate condition. These do not have to be linked.
The conditions to be applied are:

  • The data subject has provided explicit consent
  • The processing is necessary for:
  • carrying out the data controller's rights in the field of employment law, social security, and social protection;
  • protecting the vital interests of the data subject when the data controller cannot obtain consent;
  • establishing, exercising, or defending legal claims;
  • reasons of substantial public interest;
  • purposes of preventive or occupational medicine to assess the working capacity of a data subject, medical diagnosis, or for the provision of health or social care or treatment;
  • reasons of public interest in the area of public health;
  • archiving in the public interest; or
  • scientific, historical research, or statistical purposes.
  • The processing relates to the legitimate activities of certain non-profit organizations.
  • The processing relates to personal data made public by the data subject.


Looking for Privacy Notice Help?

Buy Your Privacy Notice Online

Personal Data Checklist


Our Services



    HR & Health and Safety Support

  • Tools to help manage and protect your business with online support

  • Online Support
  • Remote Support
  • On-Site Support


    HR & Health and Safety Support

  • Quest provide the tools and work with you remotely to support you and your business

  • Online Support
  • Remote Support
  • On-Site Support
  • GOLD


    HR & Health and Safety Support

  • Your personal people solution supporting your business on site

  • Online Support
  • Remote Support
  • On-Site Support

Contact Us

Looking for Support

Please provide a value for Contact Telephone Number

Quest Contact Details

01455 852028 – General enquiries

* Please note that all calls may be recorded for training or monitoring purposes.

Email – General enquiries – Sales enquiries